Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

lz4: 1.9.1 -> 1.9.2 #82437

Merged
merged 1 commit into from Mar 12, 2020
Merged

lz4: 1.9.1 -> 1.9.2 #82437

merged 1 commit into from Mar 12, 2020

Conversation

mmilata
Copy link
Member

@mmilata mmilata commented Mar 12, 2020

Motivation for this change

Fixes: https://nvd.nist.gov/vuln/detail/CVE-2019-17543 (see also #73666)
Release notes: https://github.com/lz4/lz4/releases/tag/v1.9.2

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@mmilata mmilata changed the base branch from master to staging March 12, 2020 21:04
@alyssais alyssais merged commit 18ac6ba into NixOS:staging Mar 12, 2020
@mmilata mmilata deleted the lz4-192 branch March 12, 2020 23:00
@mmilata
Copy link
Member Author

mmilata commented Mar 12, 2020

@alyssais do you think this is worth backporting to 19.09 & 20.03? Upstream maintainer describes this as slim opportunity for out-of-bound write vs. CVE score 8.1 vs. lot of rebuilds.

vcunat pushed a commit that referenced this pull request Mar 15, 2020
@mmilata @vcunat
lz4: 1.9.1 -> 1.9.2 (PR #82437)
2dab4c1 
Fixes: https://nvd.nist.gov/vuln/detail/CVE-2019-17543
Release notes: https://github.com/lz4/lz4/releases/tag/v1.9.2

(cherry picked from commit 18ac6ba)
vcunat pushed a commit that referenced this pull request Mar 15, 2020
@mmilata @vcunat
lz4: 1.9.1 -> 1.9.2 (PR #82437)
cdd33cb 
Fixes: https://nvd.nist.gov/vuln/detail/CVE-2019-17543
Release notes: https://github.com/lz4/lz4/releases/tag/v1.9.2

(cherry picked from commit 18ac6ba)
@vcunat
Copy link
Member

vcunat commented Mar 15, 2020

Backported. The release notes sound safe. I see a regression reported but hopefully it won't really affect us 🤷‍♂️

@vcunat vcunat mentioned this pull request Mar 15, 2020
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Ericson2314 Ericson2314 Awaiting requested review from Ericson2314

@FRidh FRidh Awaiting requested review from FRidh

@ttuegel ttuegel Awaiting requested review from ttuegel

Assignees
No one assigned
Labels
1.severity: security 10.rebuild-darwin: 101-500 10.rebuild-linux: 501+ 10.rebuild-linux: 5001+
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@mmilata @vcunat @alyssais